Hi all,

It looks like syslog-ng 1.6.4 sometimes concatenates two messages into one. Here are samples from my maillog:

Jun 2 04:50:43 master sendmail[14615]: i521o1jN014615: <isqva@nsys.by>... User unknown
Jun 2 04:50:46 master sendmail[14615]: i521o1jN014615: <ehmgcfrou@nsys.by>... User unknown
Jun 2 04:50:50 master sendmail[14615]: i521o1jN014615: <tenjwdldmctu@nsys.by>... User unknown
Jun 2 04:50:57 master sendmail[14743]: i521oiYS014743: <triunph@nsys.by>... User unknown<21>Jun 2 04:51:00 sendmail[14743]: i521oiYS014743: lost input channel from [213.228.74.36] to MTA after rcpt
Jun 2 04:51:07 master sendmail[14794]: i521p4pU014794: <triunph@nsys.by>... User unknown<21>Jun 2 04:51:07 sendmail[14794]: i521p4pU014794: lost input channel from w425-02.ehs.emd.b19.tpu.edu.ru [195.208.183.82] (may be forged) to MTA after rcpt

Any ideas?

I use redhat enterprise linux 3, syslog-ng 1.6.4 and libol 0.3.13

Best,
Vladislav

On Wed, 2004-06-02 at 12:50, Vladislav Bogdanov wrote:
> Hi all, It looks like syslog-ng 1.6.4 sometimes concatenates two messages into one. Here are samples from my maillog [snip]
> Any ideas?
> I use redhat enterprise linux 3, syslog-ng 1.6.4 and libol 0.3.13

Are these local messages or messages received from the network?

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

On Wed, 2004-06-02 at 17:57, Vladislav Bogdanov wrote:
> Balazs Scheidler wrote:
>>> I use redhat enterprise linux 3, syslog-ng 1.6.4 and libol 0.3.13
>> Are these local messages or messages received from the network?
> local

ok, are these received using unix-dgram() or unix-stream()? can you attach an strace snippet which shows this behaviour?

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

Balazs Scheidler wrote:
> On Wed, 2004-06-02 at 17:57, Vladislav Bogdanov wrote:
>> Balazs Scheidler wrote:
>>>> I use redhat enterprise linux 3, syslog-ng 1.6.4 and libol 0.3.13
>>> Are these local messages or messages received from the network?
>> local
> ok, are these received using unix-dgram() or unix-stream()? can you attach an strace snippet which shows this behaviour?

source s_sys {
    pipe ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
};

hmm.. here is it

---------------
read(20, "<21>Jun 3 14:17:57 sendmail[388"..., 2048) = 330
 | 00000 3c 32 31 3e 4a 75 6e 20 20 33 20 31 34 3a 31 37 <21>Jun 3 14:17 |
 | 00010 3a 35 37 20 73 65 6e 64 6d 61 69 6c 5b 33 38 38 :57 send mail[388 |
 | 00020 35 5d 3a 20 69 35 33 42 48 73 71 30 30 30 33 38 5]: i53B Hsq00038 |
 | 00030 38 35 3a 20 6c 6f 73 74 20 69 6e 70 75 74 20 63 85: lost input c |
 | 00040 68 61 6e 6e 65 6c 20 66 72 6f 6d 20 62 7a 71 2d hannel f rom bzq- |
 | 00050 32 31 38 2d 31 31 35 2d 37 35 2e 72 65 64 2e 62 218-115- 75.red.b |
 | 00060 65 7a 65 71 69 6e 74 2e 6e 65 74 20 5b 38 31 2e ezeqint. net [81. |
 | 00070 32 31 38 2e 31 31 35 2e 37 35 5d 20 74 6f 20 4d 218.115. 75] to M |
 | 00080 54 41 20 61 66 74 65 72 20 72 63 70 74 3c 32 32 TA after rcpt<22 |
 | 00090 3e 4a 75 6e 20 20 33 20 31 34 3a 31 37 3a 35 37 >Jun 3 14:17:57 |
 | 000a0 20 73 65 6e 64 6d 61 69 6c 5b 33 38 38 35 5d 3a sendmai l[3885]: |
 | 000b0 20 69 35 33 42 48 73 71 30 30 30 33 38 38 35 3a i53BHsq 0003885: |
 | 000c0 20 66 72 6f 6d 3d 3c 6b 72 61 78 65 6c 62 62 79 from=<k raxelbby |
 | 000d0 40 62 6f 75 74 68 6f 72 73 2e 6f 72 67 3e 2c 20 @bouthor s.org>, |
 | 000e0 73 69 7a 65 3d 30 2c 20 63 6c 61 73 73 3d 30 2c size=0, class=0, |
 | 000f0 20 6e 72 63 70 74 73 3d 31 2c 20 70 72 6f 74 6f nrcpts= 1, proto |
 | 00100 3d 45 53 4d 54 50 2c 20 64 61 65 6d 6f 6e 3d 4d =ESMTP, daemon=M |
 | 00110 54 41 2c 20 72 65 6c 61 79 3d 62 7a 71 2d 32 31 TA, rela y=bzq-21 |
 | 00120 38 2d 31 31 35 2d 37 35 2e 72 65 64 2e 62 65 7a 8-115-75 .red.bez |
 | 00130 65 71 69 6e 74 2e 6e 65 74 20 5b 38 31 2e 32 31 eqint.ne t [81.21 |
 | 00140 38 2e 31 31 35 2e 37 35 5d 00 8.115.75 ]. |
write(13, "Jun 3 14:17:57 master sendmail["..., 333) = 333
 | 00000 4a 75 6e 20 20 33 20 31 34 3a 31 37 3a 35 37 20 Jun 3 1 4:17:57 |
 | 00010 6d 61 73 74 65 72 20 73 65 6e 64 6d 61 69 6c 5b master s endmail[ |
 | 00020 33 38 38 35 5d 3a 20 69 35 33 42 48 73 71 30 30 3885]: i 53BHsq00 |
 | 00030 30 33 38 38 35 3a 20 6c 6f 73 74 20 69 6e 70 75 03885: l ost inpu |
 | 00040 74 20 63 68 61 6e 6e 65 6c 20 66 72 6f 6d 20 62 t channe l from b |
 | 00050 7a 71 2d 32 31 38 2d 31 31 35 2d 37 35 2e 72 65 zq-218-1 15-75.re |
 | 00060 64 2e 62 65 7a 65 71 69 6e 74 2e 6e 65 74 20 5b d.bezeqi nt.net [ |
 | 00070 38 31 2e 32 31 38 2e 31 31 35 2e 37 35 5d 20 74 81.218.1 15.75] t |
 | 00080 6f 20 4d 54 41 20 61 66 74 65 72 20 72 63 70 74 o MTA af ter rcpt |
 | 00090 3c 32 32 3e 4a 75 6e 20 20 33 20 31 34 3a 31 37 <22>Jun 3 14:17 |
 | 000a0 3a 35 37 20 73 65 6e 64 6d 61 69 6c 5b 33 38 38 :57 send mail[388 |
 | 000b0 35 5d 3a 20 69 35 33 42 48 73 71 30 30 30 33 38 5]: i53B Hsq00038 |
 | 000c0 38 35 3a 20 66 72 6f 6d 3d 3c 6b 72 61 78 65 6c 85: from =<kraxel |
 | 000d0 62 62 79 40 62 6f 75 74 68 6f 72 73 2e 6f 72 67 bby@bout hors.org |
 | 000e0 3e 2c 20 73 69 7a 65 3d 30 2c 20 63 6c 61 73 73 >, size= 0, class |
 | 000f0 3d 30 2c 20 6e 72 63 70 74 73 3d 31 2c 20 70 72 =0, nrcp ts=1, pr |
 | 00100 6f 74 6f 3d 45 53 4d 54 50 2c 20 64 61 65 6d 6f oto=ESMT P, daemo |
 | 00110 6e 3d 4d 54 41 2c 20 72 65 6c 61 79 3d 62 7a 71 n=MTA, r elay=bzq |
 | 00120 2d 32 31 38 2d 31 31 35 2d 37 35 2e 72 65 64 2e -218-115 -75.red. |
 | 00130 62 65 7a 65 71 69 6e 74 2e 6e 65 74 20 5b 38 31 bezeqint .net [81 |
 | 00140 2e 32 31 38 2e 31 31 35 2e 37 35 5d 0a .218.115 .75]. |
----------

And... I looked into sysklogd (which is known to work fine with this) sources, they always open /dev/log as dgram. If I use unix-dgram instead of unix-stream, problem disappears. :)

It is likely to be a typo in contrib/syslog-ng.conf.RedHat which I copied into running config without deep investigation. :) So, I think problem is closed.

Best, Vladislav
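
The behaviour traced in this thread, reproduced as an added example (not code from the thread or from syslog-ng): two undelimited messages sent over an AF_UNIX stream socket arrive in a single read, while a datagram socket keeps them apart, and a scan for a `<PRI>` header in the middle of a record recovers fused entries. The shortened sample messages, the example.org address and the NUL/newline framing rule in `frame_stream` are assumptions made for this sketch.

```python
import re
import socket

# Constructed messages modelled on the thread's capture (shortened, no delimiter).
MSG1 = b"<21>Jun  3 14:17:57 sendmail[3885]: i53BHsq0003885: lost input channel to MTA after rcpt"
MSG2 = b"<22>Jun  3 14:17:57 sendmail[3885]: i53BHsq0003885: from=<user@example.org>, size=0"

# <PRI> followed by a BSD-style timestamp: the start of a syslog record.
HEADER = re.compile(rb"<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def receive(sock_type):
    """Send both messages back to back; return what each recv() call yields."""
    tx, rx = socket.socketpair(socket.AF_UNIX, sock_type)
    with tx, rx:
        tx.send(MSG1)
        tx.send(MSG2)
        rx.setblocking(False)
        chunks = []
        try:
            while True:
                chunks.append(rx.recv(2048))
        except BlockingIOError:  # receive queue drained
            return chunks


def frame_stream(buf):
    """Frame a byte stream on NUL or newline (assumed delimiters for this sketch)."""
    return [rec for rec in re.split(rb"[\x00\n]", buf) if rec]


def split_fused(record):
    """Split a record wherever a new <PRI>timestamp header starts mid-record."""
    starts = [m.start() for m in HEADER.finditer(record)]
    if not starts or starts[0] != 0:
        starts.insert(0, 0)
    return [record[a:b] for a, b in zip(starts, starts[1:] + [len(record)])]


if __name__ == "__main__":
    print("dgram :", len(receive(socket.SOCK_DGRAM)), "reads")
    stream = receive(socket.SOCK_STREAM)
    print("stream:", len(stream), "read,", len(frame_stream(stream[0])), "record after framing")
    for rec in split_fused(stream[0]):
        print("  recovered:", rec.decode())
```

The same `HEADER` pattern, run over stored log lines, flags records like the fused maillog entries quoted at the top of the thread, which otherwise hide the second event from per-line parsing and alerting.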